Interview

Study: Employees still balk at security

Dennis Fisher

Were you surprised by so many people still seem unaware of security issues?

Requires Free Membership to View

Security has this incorrect perception of being hard.
John Stewart,
CSOCisco Systems Inc.

 It tells me that increasingly we're beginning to rely on our corporations for the IT support we need in our daily lives. The desire to use Internet connectivity for personal life is still very much there and the IT arm of your company is the one you're calling in order to get it done. Even for me as a practitioner, the IT task is quite complex. And that's part of the reason IT departments are being leaned on because the experience level is there. The threat level is more complex in one way and diversified in many different categories. So there's a hope that the IT team at their company will take care of them. Inside of Cisco do you see this same level of unawareness of security?
Awareness is up. Security has this incorrect perception of being hard. People take steps to increase their security posture largely because they have to or they've had their personal data lifted off their computer or because they're driven to be security conscious. There's a certain class of folks who have just grown up in their lives with the fact that it's an important topic. How much have you taken a look at both IE 7 and the early builds and release candidates of Windows Vista and the security upgrades that they've made?
I'm always interested in how every vendor increases the security posture of their products. I'm pleased to see the advancements in terms of Mac OS X to Solaris 10 to the work Microsoft has done in IE7, which has just been released. So I think customers have demonstrated that security is what is now expected during the buying process.

Cisco in the news:
Microsoft, Cisco work on security cooperation

Microsoft, Cisco announce joint NAC/NAP architecture

One of the trends in this industry that Microsoft and Cisco have seen is that customers frequently say that they want reliability. In earlier conversations, they said they wanted speed. Now consumers are saying they want both of those. It used to be that when you had speed then reliability was less of an issue. In other words, it was largely accepted that networks would go up and down, as long as they were fast when they were up. Then it moved to: I want it fast and I want it up all the time. Now it's moved to: I want it fast, up and I want security baked in. And I think that's terrific, because in my own opinion that's why Vista has an increasing level of security inside. Microsoft is reacting just as they should by listening to their customers and then building within that.

Now that being said, we all know no matter how much energy we put into [our products] there will always be flaws within them. It's largely inevitable. That's why I work with everything from independent research to outside consulting teams. The scrutiny our products are all going through is vital. With everyone building security into their products, do you see five or 10 years down the road that there's going to be less room for third-party security vendors?
No. It's primarily because of everything from heterogeneity to the fact that threat models move really quickly. There will always be a way for new companies to come out and solve a problem that we haven't solved yet. What I do see is continued consolidation of security companies and that's because there is a desire to reduce the complexity of environments. How far along are you internally in deploying NAC?
We have got NAC framework at Layer 3, which is the routing version, at 100 different locations. I was just talking today about where we're going to put the NAC appliance, which we have not yet deployed in production. We intend to put it in at least two different locations, one of which is between the company and the labs we run. And we're exploring putting it between two different companies where we collaborate with another business. We've upgraded almost all of our network so it's ready for the Layer 2 solution if we want to go all the way to the port level, and we're working with the engineering division on the release of that software, which is just coming available now at Layer 2 switching. And so far are you happy with how it works in production?
Absolutely, but I'll tell you that we've been surprised a lot. One of the amazing things about deploying it is you can start learning what's on your infrastructure. When you start doing something like this, you find that the sales team might be running Macs, or they're running a Linux kit. Or you find how many versions of printer software are out there. You start seeing things you wouldn't have necessarily known or devices that are attaching to your network that normally wouldn't be connecting. So in field sales offices they're demonstrating the product by attaching it to our company network to prove the network topology and they're doing it on the production side. That's not surprising, but to prove it with empirical data is a way to measure it and see what you want to do about it. It removes the guessing and assumption game quite a bit.